70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 - PowerPoint PPT Presentation


Chapter Twelve

Implementing Terminal Services and Remote Access


Objectives

  • Install and configure Terminal Services

  • Describe remote access features and protocols

  • Configure security features for remote access

Guide to MCSE 70-270, 70-290


Implementing Terminal Services

  • Terminal Services: Provides remote access to a server desktop

    • Through “thin client” software

    • Transmits only program’s user interface to client

    • Centralized control of applications

  • Remote Desktop for Administration: Enables administrators to connect to a server for administrative purposes

    • Disabled by default

Enabling Remote Desktop for Administration

  • Only need to change a single setting in System Properties dialog box

    • By default, Administrators group members can connect via Remote Desktop for Administration

      • Can grant other users access

  • Activity 12-1: Enabling and Testing Remote Desktop for Administration

    • Objective: Enable and test Remote Desktop for Administration

Enabling Remote Desktop for Administration (continued)

Figure 12-1: The Remote tab of the System Properties dialog box

Enabling Remote Desktop for Administration (continued)

Figure 12-2: Entering a user name, password, and domain name for Remote Desktop Connection

Implementing Terminal Services

Table 12-1: Benefits of Terminal Services

Implementing Terminal Services (continued)

  • Terminal Services has 2 major components:

    • Terminal server: Computer on which Terminal Services installed

      • Enables users to remotely run Windows applications

    • License server: Computer on which Terminal Services Licensing service installed

      • Stores client access license (CAL) tokens for group of terminal servers

      • Tracks license tokens that have been issued

      • Implementing Terminal Services Licensing consists of installation and activation

Implementing Terminal Services (continued)

  • Installing Terminal Services on a Terminal Server: Installed from Control Panel’s Add or Remove Programs applet

  • Activity 12-2: Installing Terminal Services

    • Objective: Install Windows Server 2003 Terminal Services

  • Licensing Service Installation: Must be at least one license server on network for Terminal Services to obtain license information

    • Installing terminal server and Licensing service on same computer is acceptable, but possibly costly

Implementing Terminal Services (continued)

Figure 12-4: The Terminal Services Licensing model

Implementing Terminal Services (continued)

  • Licensing Service Installation (continued):

    • Microsoft maintains Microsoft Certificate Authority and Licensing Clearinghouse to activate license servers and issue client license key packs

    • License servers support many types of licenses

      • Terminal Server Device Client Access Licenses

      • Terminal Server User Client Access Licenses

    • Can be installed on workgroup-based server, member server, or domain controller

      • Choice determines how and when terminal servers find a license server

Implementing Terminal Services (continued)

  • Licensing Service Activation: Use Activation Wizard in Terminal Services Licensing tool

    • Three connection methods:

      • Automatic connection (recommended)

      • Web Browser

      • Telephone

    • When license server activated, Microsoft supplies limited-use digital certificate to validate server ownership and identity

      • X.509 industry-standard certificate

Configuring and Managing Terminal Services

  • Three tools for Terminal Services administration:

    • Terminal Services Manager: Monitors and controls client access to terminal servers

    • Terminal Services Configuration: Configures terminal server settings and connections

    • Terminal Services Licensing: Stores and tracks Terminal Services client access licenses

  • Configuring Remote Connection Settings: Configure security and connection-related settings with Terminal Services Configuration tool

Configuring and Managing Terminal Services (continued)

Figure 12-6: The Terminal Services Configuration window

Configuring and Managing Terminal Services (continued)

  • Each network interface in Terminal Services server can be configured with only one Remote Desktop Protocol (RDP) connection

  • Most important settings to be checked when configuring a Terminal Services connection are encryption and authentication

    • Available encryption options include:

      • Low

      • Client Compatible

      • High

      • FIPS Compliant

Configuring and Managing Terminal Services (continued)

Table 12-3: Property settings for a Terminal Services connection

Configuring and Managing Terminal Services (continued)

  • Activity 12-3: Exploring Terminal Services Settings

    • Objective: Explore Terminal Services settings

  • Using Terminal Services Manager: View and manage terminal servers in Active Directory forest

    • Monitor users, sessions, and applications

    • Carry out administrative tasks

    • Three tabs in Terminal Services Manager Window:

      • Users, Sessions, and Processes

Configuring and Managing Terminal Services (continued)

  • Using Terminal Services Manager (continued):

    • Users tab: Name, connection time, state of user connection

    • Sessions tab: Displays user session information

    • Processes tab: Information about applications running in user’s session

    • Session types:

      • User

      • Console

      • Listener

      • Idle

Configuring and Managing Terminal Services (continued)

Table 12-4: Terminal Services Manager actions

Configuring and Managing Terminal Services (continued)

Table 12-4 (continued): Terminal Services Manager actions

Terminal Services Client Software

  • After Terminal Services installed, client software packages automatically added to %systemroot%\System32\Clients\Tsclient\Win32

    • Contains files for installing RDC software

    • Client software provided as both MSI file and Win32 executable

    • Recommended installation method is to share %systemroot%\System32\Clients\Tsclient\Win32 folder

      • Initiate installation over network manually or via group policies for software deployment

Installing Applications

  • Applications must be installed in compatible mode for multiple users to access them simultaneously

    • Might need to reinstall some applications

  • On terminal server, software applications should be installed only in install mode

Configuring Terminal Services User Properties

  • Terminal Services adds four tabs to Properties dialog boxes of user accounts:

    • Terminal Services Profile: Enable user as Terminal Services client

    • Remote control: Configure remote control properties for user account

    • Sessions: Set max session time and disconnect options

    • Environment: Configure programs to run automatically when user connects

Troubleshooting Terminal Services

  • Tips/Guidelines for troubleshooting:

    • If user unable to log on, ensure client software settings correct and Allow logon to terminal server option set

    • If connection refused, ensure client meets server’s RDP encryption requirements

    • If all users unable to log on, ensure connection enabled

    • Each network interface can be configured with only one RDP connection to the network

Troubleshooting Terminal Services (continued)

  • Tips/Guidelines for troubleshooting (continued):

    • If several users require sessions on RDP connection, might need to increase number of sessions available

    • If applications don’t run, might need to relax application security settings

    • Must have administrative rights on terminal server to manage and troubleshoot Terminal Services

Implementing Remote Access

  • Remote access: Connecting to another computer or network using a public carrier

    • Useful when used with Terminal Services

  • Accomplished in two ways:

    • Direct dial-up

    • Virtual private network (VPN) over Internet

Dial-up Remote Access

  • Computers connect and transfer information using modems and a phone line

    • When connection created between dial-up client and server, modems act like NICs

      • Allowing client to access resources on network

    • Easy availability

    • Example: Accessing Internet by dialing into an ISP

  • IP Address Management: When clients connect to Windows Server 2003 remote access server, assigned an IP address

    • DHCP or static pool of IP addresses

Dial-up Remote Access (continued)

Figure 12-16: Using DHCP for the IP address configuration of a remote access client

Dial-up Remote Access (continued)

  • Enabling and Configuring a Dial-up Server: Use Routing and Remote Access Service (RRAS) to enable and configure dial-up servers and clients

    • Must enable RRAS

    • Must configure Telephony Application Programming Interface (TAPI)

    • Must ensure modem(s) installed and properly configured

    • Enable RRAS for dial-up connections

      • Using the Routing and Remote Access snap-in in Windows Server 2003

Dial-up Remote Access (continued)

  • Activity 12-4: Installing a Modem

    • Objective: Perform the steps necessary to install a modem on a Windows Server 2003 or XP system

  • Activity 12-5: Enabling RRAS as a Dial-up Server

    • Objective: Configure RRAS on your server to act as a dial-up server

  • Dial-up Security: User name and password are basis for remote access security

    • Only designated users allowed to connect

Dial-up Remote Access (continued)

Figure 12-20: Dial-up security options

Dial-up Remote Access (continued)

  • Dial-up Protocols: Dial-up connections require different protocols than LAN connections

    • Serial Line Internet Protocol (SLIP): Rarely used

    • Point-to-Point Protocol (PPP): Used by default

      • Can automatically configure clients with IP address information

      • Can support multiple LAN protocols

      • Can provide for scripting logon processes

      • PPP Multilink Protocol (PPP-MP): Enables combination of multiple remote access links into one logical connection

Dial-up Remote Access (continued)

  • Dial-up Protocols (continued):

    • Both LAN and dial-up network protocols need to be considered when configuring Windows Server 2003 as a remote access server

  • Activity 12-6: Creating a Dial-up Connection

    • Objective: Configure your client to make a dial-up connection to an RRAS server

VPN Remote Access

  • Virtual private network (VPN): Creates private connection between two entities across Internet

    • Advantages over dial-up:

      • Ease of setup

      • Speed

      • Encryption

  • Requires protocol to create secure “tunnel” for delivering TCP/IP packets across Internet

    • Point-to-Point Tunneling Protocol (PPTP)

    • Layer Two Tunneling Protocol (L2TP)

VPN Remote Access (continued)

Figure 12-22: Initiating a VPN connection across the Internet

VPN Remote Access (continued)

  • PPTP: Uses Microsoft Point-to-Point Encryption (MPPE)

    • Easy to configure

    • Works across NAT routers

    • Does not authenticate

  • L2TP: More secure than PPTP

    • Harder to configure

    • Works in conjunction with IPSec

    • Performs authentication

    • Limited support for traversing NAT routers

VPN Remote Access (continued)

  • IP Security (IPSec): Negotiates secure encrypted communications link between client and server

    • Through public and private encryption keys

    • Two modes:

      • Transport: Links between any two systems on network

      • Tunneling: Only links between two specific systems

    • IPSec policies govern how system communicates through TCP/IP

    • Three sample IPSec policies given by Windows XP:

      • Client (Respond Only), Server (Request Security), and Secure Server (Require Security)

VPN Remote Access (continued)

  • IP Security (continued):

    • Supports three types of authentication methods:

      • Kerberos version 5 (default and preferred)

      • Public key certificate

      • Preshared key (least secure)

  • Configuring a VPN Remote Access Server: Remote access server automatically configured for five PPTP ports and five L2TP ports

  • Activity 12-7: Configuring a Remote Access Server

    • Objective: Configure remote access server settings

VPN Remote Access (continued)

Figure 12-23: Default VPN ports

VPN Remote Access (continued)

Table 12-5: RRAS authentication methods

Remote Access Security

  • Allowing Remote Access to Windows XP: Via dial-in or VPN connection

    • User’s name must be added to Remote Desktop Users list

  • Remote Access Policies: Stored on each remote access server

    • Policies applied to users can vary depending on server to which user connects

  • Activity 12-8: Creating a Remote Access Policy

    • Objective: Create a new remote access policy on your remote access server

Remote Access Security (continued)

  • Activity 12-9: Creating a Client VPN Connection

    • Objective: Create a client VPN connection and then test it

  • Windows XP Internet Connection Firewall (ICF): Protect network connections from unwanted traffic

    • Stateful firewall

    • Configured by default to block most incoming traffic

    • Can configure to allow specific types of traffic without internal request

Remote Access Security (continued)

Figure 12-32: The Services tab of the Advanced Settings dialog box

Remote Access Security (continued)

  • ICF (continued):

    • Can log dropped traffic

  • Activity 12-10: Configuring ICF

    • Objective: Configure a dial-up network connection (Internet) as a firewall
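
The dropped-traffic log mentioned on this slide can be reviewed for repeated blocked attempts against the remote-access services covered in this chapter. The following is an added example, not part of the original slides: it assumes the space-separated layout with a `#Fields:` header that ICF writes to pfirewall.log, the log lines are constructed samples using documentation addresses, the port table lists the well-known default ports, and all function names are hypothetical.

```python
from collections import Counter

# Well-known default ports for the services in this chapter (assumed defaults).
WATCHED_PORTS = {
    ("TCP", 3389): "RDP / Terminal Services",
    ("TCP", 1723): "PPTP control",
    ("UDP", 1701): "L2TP",
    ("UDP", 500): "IKE (IPSec)",
}

# Constructed sample in the ICF pfirewall.log layout (not real traffic).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-03-01 10:15:02 DROP TCP 203.0.113.7 192.0.2.10 4312 3389 48 S 1234567 0 16384 - - -
2004-03-01 10:15:05 DROP TCP 203.0.113.7 192.0.2.10 4313 3389 48 S 1234599 0 16384 - - -
2004-03-01 10:15:09 DROP TCP 203.0.113.7 192.0.2.10 4314 3389 48 S 1234633 0 16384 - - -
2004-03-01 10:15:14 DROP TCP 203.0.113.7 192.0.2.10 4315 3389 48 S 1234688 0 16384 - - -
2004-03-01 10:16:40 DROP TCP 198.51.100.23 192.0.2.10 2201 1723 48 S 7654321 0 16384 - - -
2004-03-01 10:17:03 OPEN TCP 192.0.2.10 198.51.100.80 1045 80 - - - - - - - -
2004-03-01 10:18:11 DROP ICMP 203.0.113.7 192.0.2.10 - - 60 - - - - 8 0 -
2004-03-01 10:19:00 DROP TCP 203.0.113.7
2004-03-01 10:20:30 DROP UDP 198.51.100.23 192.0.2.10 1701 1701 120 - - - - - - -
"""

def parse_icf_log(text):
    """Yield one dict per complete entry, named by the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("#fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def summarize_drops(entries):
    """Count dropped packets per (source address, watched service)."""
    hits = Counter()
    for entry in entries:
        if entry.get("action") != "DROP":
            continue
        try:
            port = int(entry["dst-port"])
        except (KeyError, ValueError):
            continue  # ICMP entries carry "-" instead of a port
        service = WATCHED_PORTS.get((entry.get("protocol"), port))
        if service:
            hits[(entry["src-ip"], service)] += 1
    return hits

def repeat_offenders(hits, threshold=3):
    """Sources with at least `threshold` drops against one watched service."""
    return sorted((src, svc, n) for (src, svc), n in hits.items() if n >= threshold)

if __name__ == "__main__":
    drops = summarize_drops(parse_icf_log(SAMPLE_LOG))
    for src, svc, count in repeat_offenders(drops):
        print(f"{src}: {count} dropped packets aimed at {svc}")
```
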

Sharing Internet Connections

  • Internet Proxy Service: Proxy server acts as intermediary between internal network and Internet

  • Windows XP Internet Connection Sharing (ICS): Used to share a single network connection with small group of networked computers

    • Computer essentially becomes a limited DHCP server

  • Activity 12-11: Configuring ICS

    • Objective: Configure Windows XP Professional to share an Internet connection with other computers on a network

Sharing Internet Connections (continued)

Figure 12-36: Using a proxy server

Sharing Internet Connections (continued)

  • Configuring ICS:

    • On-demand dialing

    • Define internal services accessible to external users

    • By default, allows access to L2TP, PPTP, and IKE (IPSec) resources

      • Can enable access to other resources

    • Do not use on networks with domain controllers, DNS servers, gateway systems, DHCP servers, or with clients that must have static IP addresses

Sharing Internet Connections (continued)

  • Configuring ICS (continued):

    • ICS Troubleshooting Tasks:

      • Verify connection is active and functioning

      • Verify communication from other clients can access your system over the network

      • Make sure computer hosting ICS has IP address of 192.168.1.1 with mask of 255.255.255.0

      • Ensure ICS client computers set to automatically obtain IP address information

Windows Server 2003 Network Address Translation (NAT)

Figure 12-38: NAT routing

Summary

  • Terminal Services is a Windows Server 2003 feature that allows users to connect to and run applications on a Windows Server 2003 system from their desktops as though they were sitting at the server console

  • Remote Desktop for Administration is a Windows Server 2003 feature that allows an administrator to connect to servers remotely for administrative purposes

  • Terminal Services requires that the Licensing service be installed and activated

Summary (continued)

  • Terminal Services Manager can be used to monitor user connection information and the status of the terminal server

  • Remote access dial-in protocols include PPP and SLIP

  • Remote access security includes enabling user accounts through group policies and setting callback security options

  • VPN tunneling protocols include PPTP and L2TP

Summary (continued)

  • Internet Connection Firewall is used to protect systems against unwanted traffic from the Internet or untrusted network connections

  • Proxy servers work directly with Web browsers to share Internet access through the proxy service

  • Internet Connection Sharing can be used in Windows XP to share a single ISP link with a small network

  • Network Address Translation (NAT) can be used on a Windows Server 2003 system to provide Internet access to clients
